<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek <<a
href="mailto:otto@drijf.net" moz-do-not-send="true"
class="moz-txt-link-freetext">otto@drijf.net</a>> wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Please
show your full configuration, including versions etc. Also, it<br>
is not clear which product you are using.<br>
<br>
The recursor docs say:<br>
<br>
"Note that once a Proxy Protocol header has been received, the
source<br>
address from the proxy header instead of the address of the
proxy will<br>
be checked against the allow-from ACL."<br>
<br>
<a
href="https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from</a><br>
<br>
-Otto<br>
<br>
<br>
On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via
Pdns-users wrote:<br>
<br>
> Hi all,<br>
> <br>
> I'm not sure if this is a change in behaviour or I simply
haven't noticed<br>
> this before but after upgrading my docker image today, I've
seen queries<br>
> being dropped due to the mapped address in my proxy
mappings being used for<br>
> allow-from rather than the src/original address. I use a
private-public<br>
> address mapping in the proxy maps because I use the mapped
public IP as<br>
> part of ecs/edns.<br>
> <br>
> I've now set:<br>
> <br>
> proxy-protocol-from=<mapped ip> (or should this be
the src IP?)<br>
> <br>
> but this doesn't appear to have changed anything and
queries are still<br>
> being dropped.<br>
> <br>
> Can anyone advise where I'm going wrong? I don't mind
putting the mapped<br>
> (public) IP in allow-from but would prefer not to do it if
not required.<br>
> <br>
> Regards<br>
> <br>
> -- <br>
> Robby Pedrica<br>
> <br>
> c: +27 82 416 8696<br>
<br>
<br>
</blockquote>
</div>
<br clear="all">
<br>
<div>Thanks Otto,<br>
<br>
(apologies for the wrong addressing)<br>
</div>
<div><br>
</div>
<div>I agree on the docs, but then the actual operation/result is
not consistent unless I'm misunderstanding the operation or
purpose of proxy-protocol-from.<br>
</div>
<div><br>
</div>
<div><i>Product:</i></div>
<div><br>
</div>
<div>pdns-recursor<br>
</div>
<div><br>
</div>
<div><i>Version:</i></div>
<div><br>
</div>
<div>4.8.1 (or docker image:latest)<br>
</div>
<div><br>
</div>
<div><i>Full recursor.conf:</i></div>
<div><br>
</div>
<div>
<pre class="moz-quote-pre" wrap="">allow-from=<private subnet 1>, <private subnet 2>
edns-subnet-allow-list=0.0.0.0/0.
use-incoming-edns-subnet=yes
proxy-protocol-from=x.x.x.x (public address from proxy mapping)
api-key=xxxx
#config-dir=/usr/etc
daemon=no
#disable-syslog=no
edns-subnet-allow-list=0.0.0.0/0.
etc-hosts-file=/etc/hosts
# export-etc-hosts=off
#local-address=
local-port=53
loglevel=6
log-common-errors=yes
# max-cache-entries=1000000
# max-concurrent-requests-per-tcp-connection=10
max-tcp-clients=128
# max-tcp-per-client=0
# max-tcp-queries-per-connection=0
# network-timeout=1500
new-domain-log=yes
quiet=no
threads=2
use-incoming-edns-subnet=yes
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-loglevel=none
webserver-password=xxxxx
write-pid=yes
hint-file=/etc/named.root.txt
log-common-errors=no
lua-config-file=/etc/proxy-map.lua
max-busy-dot-probes=50
proxy-protocol-from=<mapped public IP 1>, <mapped public IP 2>
</pre>
</div>
<div><i>/etc/proxy-map.lua:</i></div>
<div>
<pre class="moz-quote-pre" wrap="">protobufServer("syslog-ip:port")
addProxyMapping("private subnet 1", "mapped public IP 1")
addProxyMapping("private subnet 2", "mapped public IP 2")</pre>
</div>
<br>
<i>Logs from docker:</i><br>
<br>
recursor_1 | Jan 20 18:45:57 PowerDNS Recursor 0.0.0.0.HEAD.gHEAD
(C) 2001-2022 PowerDNS.COM BV
<br>
recursor_1 | Jan 20 18:45:57 Using 64-bits mode. Built using gcc
10.2.1 20210110 on Jan 20 2023 12:15:50 by root@localhost.
<br>
recursor_1 | Jan 20 18:45:57 PowerDNS comes with ABSOLUTELY NO
WARRANTY. This is free software, and you are welcome to redistribute
it according to the terms of the GPL version 2.
<br>
recursor_1 | Jan 20 18:45:57 msg="If using IPv6, please raise
sysctl net.ipv6.route.max_size to a size >= 16384"
subsystem="config" level="0" prio="Error" tid="0"
ts="1674240357.631" current="4096"
<br>
recursor_1 | Jan 20 18:45:57 msg="Enabling IPv4 transport for
outgoing queries" subsystem="config" level="0" prio="Notice" tid="0"
ts="1674240357.631"
<br>
recursor_1 | Jan 20 18:45:57 msg="NOT using IPv6 for outgoing
queries - add an IPv6 address (like '::') to query-local-address to
enable" subsystem="config" level="0" prio="Warning" tid="0"
ts="1674240357.631"
<br>
recursor_1 | Jan 20 18:45:57 msg="Setting access control"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.631"
acl="allow-from" addresses="<private subnets>"
<br>
recursor_1 | Jan 20 18:45:57 msg="Will not send queries to"
subsystem="config" level="0" prio="Notice" tid="0"
ts="1674240357.635" addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10
169.254.0.0/16 192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7
fe80::/10 0.0.0.0/8 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24
203.0.113.0/24 240.0.0.0/4 ::/96 ::ffff:0:0/96 100::/64
2001:db8::/32 0.0.0.0 ::"
<br>
recursor_1 | Jan 20 18:45:57 msg="PowerDNS Recursor itself will
distribute queries over threads" subsystem="config" level="0"
prio="Notice" tid="0" ts="1674240357.635"
<br>
recursor_1 | Jan 20 18:45:57 msg="Inserting rfc 1918 private space
zones" subsystem="config" level="0" prio="Notice" tid="0"
ts="1674240357.635"
<br>
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="0.0.0.0" proto="UDP"
<br>
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="::" proto="UDP"
<br>
recursor_1 | Jan 20 18:45:57 msg="Enabled TCP data-ready filter for
(slight) DoS protection" subsystem="config" level="0" prio="Info"
tid="0" ts="1674240357.636"
<br>
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="0.0.0.0" protocol="TCP"
<br>
recursor_1 | Jan 20 18:45:57 msg="Listening for queries"
subsystem="config" level="0" prio="Info" tid="0" ts="1674240357.636"
address="::" protocol="TCP"
<br>
recursor_1 | Jan 20 18:45:57 msg="Launching distributor threads"
subsystem="config" level="0" prio="Notice" tid="0"
ts="1674240357.637" count="1"
<br>
recursor_1 | Jan 20 18:45:57 msg="Launching worker threads"
subsystem="config" level="0" prio="Notice" tid="0"
ts="1674240357.637" count="4"
<br>
recursor_1 | Jan 20 18:45:57 msg="Enabling web server"
subsystem="runtime" level="0" prio="Info" tid="0"
ts="1674240357.639"
<br>
recursor_1 | Jan 20 18:45:57 msg="Listening for HTTP requests"
subsystem="webserver" level="0" prio="Info" tid="0"
ts="1674240357.639" address="0.0.0.0:8082"
<br>
recursor_1 | Jan 20 18:45:57 msg="Enabled multiplexer"
subsystem="runtime" level="0" prio="Info" tid="0"
ts="1674240357.639" name="epoll"
<br>
recursor_1 | Jan 20 18:45:58 msg="Not validating response for
security status update, this is a non-release version"
subsystem="housekeeping" level="0" prio="Warning" tid="0"
ts="1674240358.474"
query="recursor-0.0.0.0.HEAD.gHEAD.security-status.secpoll.powerdns.com"
version="0.0.0.0.HEAD.gHEAD"
<br>
recursor_1 | Jan 20 18:45:58 msg="DoT requested but not available"
subsystem="out" level="0" prio="Error" tid="6" ts="1674240358.476"
server="188.166.104.87:853"
<br>
recursor_1 | Jan 20 18:45:58 msg="Question" subsystem="syncres"
level="0" prio="Info" tid="3" ts="1674240358.649" ecs="" mtid="1"
proto="udp" qname="253.22.87.10.in-addr.arpa" qtype="PTR"
remote="x.x.x.x:53290"
<br>
recursor_1 | Jan 20 18:45:58 msg="Answer" subsystem="syncres"
level="0" prio="Info" tid="3" ts="1674240358.649" additional="0"
answers="0" dotout="0" ecs="" mtid="1" netms="0.000000"
outqueries="0" proto="udp" qname="253.22.87.10.in-addr.arpa"
qtype="PTR" rcode="3" rd="1" remote="10.189.17.132:53290" tcpout="0"
throttled="0" timeouts="0" totms="0.000000"
validationState="Indeterminate"
<br>
recursor_1 | Jan 20 18:45:58 msg="Question" subsystem="syncres"
level="0" prio="Info" tid="3" ts="1674240358.699" ecs="" mtid="2"
proto="udp" qname="xxxxxxxxxxx.com" qtype="A"
remote="10.189.17.132:39228"
<br>
recursor_1 | Jan 20 18:45:58 msg="Question answered from packet
cache" subsystem="in" level="0" prio="Notice" tid="3"
ts="1674240358.901" proto="udp" qname="x.x.x.x.in-addr.arpa"
qtype="PTR" remote="10.189.17.132:42879" source="x.x.x.x:42879"
tag="0"
<br>
...<br>
logs continue ... a sample DROP log entry:<br>
<br>
recursor_1 | Jan 20 18:47:56 msg="Dropping UDP query, address not
matched by allow-from" subsystem="in" level="0" prio="Error" tid="1"
ts="1674240476.878" proto="udp" source="<mapped public IP
1>:0"<br>
<br>
I have sanitised private information above.<br>
<br>
<div>There are 2 requirements:</div>
<div><br>
</div>
<div>1. accurately enable ACLs via allow-from</div>
<div>2. use proxy-mapped public address for ecs/edns queries</div>
<div><br>
<i>Issue statement</i><br>
<br>
</div>
<div>Currently, the proxy mapped address is being used to match
against allow-from rather than the source/original address. This
means that unless I add the publicly mapped proxy addresses to the
allow-from option, those queries will be dropped. While I don't
mind adding the public IPs there, I would prefer not to if not
required or if the config behaviour can be changed to use the
source address instead.<br>
</div>
<div><br>
</div>
<div>I'm hoping proxy-protocol-from does not affect ecs/edns
function but the docs don't discuss anything around this - I would
assume not.<br>
<br>
Update and per your replies:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I think proxyMapping and the use of ECS is explained in
<a class="moz-txt-link-freetext" href="https://docs.powerdns.com/recursor/lua-config/proxymapping.html">https://docs.powerdns.com/recursor/lua-config/proxymapping.html</a>.</blockquote>
<br>
I understand proxymapping and ecs - this is not my issue, I'm just mentioning that I have it configured to provide context in case it is important to this specific query.<br>
<br>
I've been through all Technical Blog articles, GitHub issues and mailing list entries for 2022/2021 and can find no related articles or queries on this function. The documentation appears to be the only source of info I can find on proxy-protocol-from.<br>
<br>
My system logging is still not working in the docker container (although I do get output from "docker-compose logs -f", which I've provided here). I'm not a container expert, but it appears the docker image is not using systemd, therefore no std log output. I would send a separate query regarding this.<br>
</div>
<div><br>
</div>
<div>Regards and thank you for your assistance.<br>
</div>
<div><br>
</div>
<div>Robby<br>
</div>
</body>
</html>